Abstract: The quantum algorithms of Deutsch, Simon and Shor are described in a way which highlights their dependence on the Fourier transform. The general construction of the Fourier transform on an Abelian group is outlined and this provides a unified way of understanding the efficacy of the algorithms. Finally we describe an efficient quantum factoring algorithm based on a general formalism of Kitaev and contrast its structure to the ingredients of Shor's algorithm.

The principal quantum algorithms which provide an exponential speedup over any known classical algorithms for the corresponding problems are Deutsch's algorithm, Simon's algorithm and Shor's algorithm. Each of these rests essentially on the application of a suitable Fourier transform. In this paper we will outline the construction of the Fourier transform over a general (finite) Abelian group and highlight its origin and utility in the quantum algorithms. This provides a unified way of understanding the special efficacy of these algorithms. Indeed we have described elsewhere how this efficacy may be explicitly seen as a property of quantum entanglement in the context of implementing the large unitary operation which is the Fourier transform.

From our general group-theoretic viewpoint we will see that Simon's and Shor's 
algorithms are essentially identical in their basic formal structure differing only in the 
choice of underlying group. Both algorithms amount to the extraction of a periodicity 
relative to an Abelian group G using the Fourier transform of G in a uniform way. 
This general viewpoint may also be useful in developing new quantum algorithms by 
applying the formalism to other groups. 

Kitaev has recently formulated a group-theoretic approach to quantum algorithms. We will describe below a special explicit case of his general formalism - an efficient quantum factoring algorithm which appears to be quite different from Shor's. In particular, the Fourier transform as such is not explicitly used. It is especially interesting to contrast (rather than align!) Shor's and Kitaev's algorithms as this may provide a new method - in addition to the ubiquitous Fourier transform - for constructing quantum algorithms. The quantum searching algorithm of Grover is also based on the Fourier transform but is of a different character from those mentioned above and we will not discuss it here.

Some Notation 

We will write $B = \{0,1\}$ for the additive group of integers mod 2 and denote by $\mathcal{B}$ the Hilbert space of one qubit (i.e. a 2 dimensional Hilbert space) equipped with a standard basis denoted by $\{|0\rangle, |1\rangle\}$. will denote the Hilbert space of n qubits. The dual basis of $\mathcal{B}$ denoted by $\{|0'\rangle, |1'\rangle\}$ is defined by

$$|0'\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle) \qquad |1'\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle) \qquad (1)$$

H will denote the fundamental unitary matrix 



Thus = I and H interchanges the standard and dual bases. In terms of real geometry the dual basis lies on the 45° lines between the orthogonal directions $|0\rangle$ and $|1\rangle$ and H is the transformation given by reflection in a line at angle $\pi/8$ to the $|0\rangle$ direction. Thus the eigenvectors of H (parallel and perpendicular to the mirror line) are cos 1 10) ± sin | |1) belonging to $\lambda = \pm 1$ respectively. We will see later that H is also the Fourier transform on the group B.

The elements of $B^n$ are n bit strings. If $x = (x_1, \ldots, x_n)$ and $y = (y_1, \ldots, y_n)$ are in $B^n$ then we write

$$x \oplus y = (x_1 \oplus y_1, \ldots, x_n \oplus y_n) \in B^n$$

$$x \cdot y = (x_1 y_1 \oplus \cdots \oplus x_n y_n) \in B$$

(the operations on the RHS's being addition and multiplication mod 2 in B.) Note that $x \cdot y$ is the parity of the number of places where x and y both have a bit value of 1.

Early Days 

The earliest quantum algorithms were concerned with a situation in which we are given a "black box" or oracle that computes a function $f : B^n \to B$ and we are required to decide whether a certain "global" property (i.e. a joint property of all the function values) holds of f. For quantum computation the black box is given as a unitary transformation $U_f$ on n + 1 qubits given in the standard basis by

$$U_f : \underbrace{|x_1\rangle |x_2\rangle \cdots |x_n\rangle}_{\text{input}} |y\rangle \to |x_1\rangle |x_2\rangle \cdots |x_n\rangle |y \oplus f(x_1, \ldots, x_n)\rangle \qquad (3)$$

(We will often abbreviate $|x_1\rangle |x_2\rangle \cdots |x_n\rangle$ as $|x\rangle$ for $x \in B^n$.) Thus if y is initially set to 0 the value of f may be read from the last qubit.

For our first problem, referred to as Deutsch's XOR problem we have n = 1 so that f is one of the four possible functions $f : B \to B$. We are to decide whether $f(0) \oplus f(1)$ is 0 or 1. Equivalently we wish to decide whether f is a constant function or a "balanced" function (where balanced means that f takes one value 0 and one value 1). Clearly any classical computer requires evaluating f twice to decide this. According to Deutsch's original method, the problem may be solved on a quantum computer after running $U_f$ only once but the algorithm succeeds only with probability 1/2 (and we know when it has been successful). The method is simply to run $U_f$ on the input superposition $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ yielding the state $\frac{1}{\sqrt{2}}(|0\rangle |f(0)\rangle + |1\rangle |f(1)\rangle)$. Writing this state in the dual basis we have the four possibilities given by the two constant functions:

$$\frac{1}{\sqrt{2}}(|0\rangle |0\rangle + |1\rangle |0\rangle) = \frac{1}{\sqrt{2}}(|0'\rangle |0'\rangle + |0'\rangle |1'\rangle)$$

$$\frac{1}{\sqrt{2}}(|0\rangle |1\rangle + |1\rangle |1\rangle) = \frac{1}{\sqrt{2}}(|0'\rangle |0'\rangle - |0'\rangle |1'\rangle)$$

and the two balanced functions:

$$\frac{1}{\sqrt{2}}(|0\rangle |0\rangle + |1\rangle |1\rangle) = \frac{1}{\sqrt{2}}(|0'\rangle |0'\rangle + |1'\rangle |1'\rangle)$$

$$\frac{1}{\sqrt{2}}(|0\rangle |1\rangle + |1\rangle |0\rangle) = \frac{1}{\sqrt{2}}(|0'\rangle |0'\rangle - |1'\rangle |1'\rangle)$$

Now measure the second qubit in the dual basis. If the result is 0' (which occurs with probability 1/2 in every case) then we have lost all the information about the function f. If the result is 1' then measurement of the first qubit will reliably distinguish between constant and balanced functions.

In our second algorithm, referred to as Deutsch's algorithm, we are given n and a function $f : B^n \to B$. It is promised that f is either constant or balanced (where balanced means that f takes values 0 and 1 an equal number of times i.e. $2^{n-1}$ times each). The problem is to decide whether f is balanced or constant. The method, described in detail in involves running $U_f$ twice (and using H $O(n)$ times) to construct the state

$$|f\rangle = \frac{1}{\sqrt{2^n}} \sum_{x \in B^n} (-1)^{f(x)} |x\rangle \qquad (4)$$

Then $|f\rangle$ for any constant function is orthogonal to the corresponding state for any balanced function and thus we can solve our decision problem with certainty by a suitable measurement on the resulting state. The quantum algorithm always runs in time $O(n)$ whereas any classical algorithm (which gives the result with certainty in every case) will require time of $O(2^n)$ at least in some cases.

Note that Deutsch's XOR problem is the n = 1 case of the above decision problem. However the above algorithm, running $U_f$ twice, offers no advantage over the obvious classical algorithm for n = 1. Another distinction between the above two algorithms is that the XOR problem is solved only with probability 1/2 whereas the second algorithm is always successful. An interesting recent innovation fully unifies and considerably improves the above two algorithms: the XOR problem may be solved with certainty and the state in eq. (4) may be constructed by running $U_f$ only once. The improved XOR algorithm is then precisely the n = 1 case of the improved Deutsch algorithm. The basic idea is to set the output register to the state $\frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$ before applying $U_f$. Note that by eq. (3)

$$U_f : |x\rangle (|0\rangle - |1\rangle) \to \begin{cases} |x\rangle (|0\rangle - |1\rangle) & \text{if } f(x) = 0 \\ -|x\rangle (|0\rangle - |1\rangle) & \text{if } f(x) = 1 \end{cases}$$

Thus

$$U_f : \left( \frac{1}{\sqrt{2^n}} \sum_{x \in B^n} |x\rangle \right) \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right) \to \left( \frac{1}{\sqrt{2^n}} \sum_{x \in B^n} (-1)^{f(x)} |x\rangle \right) \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right)$$

giving the state $|f\rangle$ in the first n qubits after only one application of $U_f$. The last qubit plays a curiously passive role in that its state is unchanged in the process. (This is reminiscent of the similarly passive role of the second register in Shor's algorithm.)

The explicit description of the measurement on $|f\rangle$ which distinguishes balanced from constant functions is significant for subsequent developments. We first apply the operation H to each of the n qubits of $|f\rangle$. Denoting the resulting n-qubit operation by $H_n$ we have, for each $x \in B^n$




Note that

$$H_n |0 \ldots 0\rangle = \frac{1}{\sqrt{2^n}} \sum_{y \in B^n} |y\rangle$$

is the equal superposition of all the standard basis states and that up to an overall sign this coincides with $|f\rangle$ for f constant. Since $H_n H_n = I$ it follows that $H_n |f\rangle = |0 \ldots 0\rangle$ for f constant. Thus if f is balanced then $H_n |f\rangle$ must be orthogonal to $|0 \ldots 0\rangle$ i.e. $|f\rangle$ lies in the span of $\{H_n |x\rangle : x \neq 0 \ldots 0\}$. Hence to distinguish balanced from constant functions we apply $H_n$ to $|f\rangle$ and then read the bits to see whether they are all zero or not.

The above measurement has $2^n$ natural outcomes (i.e. all n-bit strings) and we may ask if there are special balanced functions which yield with certainty the other outcomes $x \in B^n$ in the same way that constant functions lead to the outcome 0...0. For each $k \in B^n$ consider the function $f_k : B^n \to B$ given by

$$f_k(x) = k \cdot x$$

It is easily verified that each $f_k$ is a balanced function for $k \neq 0 \ldots 0$ (giving a small subset of all possible balanced functions). We will see later that the operation $H_n$ is the Fourier transform on the additive group $B^n$ (also known as the Walsh or Hadamard transform) and the functions $f_k$ are the Fourier (Walsh, Hadamard) basis functions. For these functions we have

$$H_n |f_k\rangle = |k\rangle$$

which follows readily by comparing eq. (4) with eq. (5) and the fact that $H_n H_n = I$. Thus our quantum algorithm can reliably distinguish the $2^n$ functions $f_k$ after evaluating the function only once! However this finer use of the measurement outcomes does not represent an exponential advantage over classical computation since the classical evaluation of just n values of $f_k$ on the inputs 10...0, 010...0, up to 0...01 will successively reveal the n bits of k.

A significant feature of the problem of distinguishing balanced from constant functions is the following: if we tolerate any (arbitrarily small) non-zero probability of error in the result then we lose the exponential advantage of the quantum algorithm over classical algorithms. Indeed given any $\epsilon$, if we sample $O(-\log \epsilon)$ random values of f then we can determine within error probability $\epsilon$ whether f is balanced or constant by just claiming "constant" if all the sampled values are the same. However the 1 versus n gap between the quantum and classical identification of $f_k$ described above persists even if we tolerate a small probability of error in the result. This led Bernstein and Vazirani to amplify this gap to a super-polynomial size by a recursive procedure, leading to the first example of a problem which could be solved exponentially faster by a quantum algorithm than by any classical algorithm even if a small probability of error is tolerated. Soon thereafter Simon gave a simpler example. Below we will describe the structure of Simon's algorithm and Shor's algorithm emphasising their similarity, which will lead naturally to the general concept of the Fourier transform on an Abelian group.

Simon's Algorithm 

We are given a "black box" (or oracle) which computes a function $f : B^n \to B^n$. The function is promised to be a 2-to-1 function and have periodicity $\xi \in B^n$ i.e.

$$f(x) = f(y) \text{ iff } y = x \oplus \xi \quad \text{for all } x, y \in B^n \qquad (6)$$

Our problem is to find $\xi$ efficiently (i.e. in poly(n) steps, each evaluation of the function counting as one step). More precisely, the function is given as a unitary transformation $U_f$ on defined by

$$U_f : |x\rangle |y\rangle \to |x\rangle |y \oplus f(x)\rangle.$$

Simon's algorithm (omitting normalisation factors) is the following: 

Step 1. Start with the state $|0 \ldots 0\rangle \in$ and apply $H_n$ to get $\sum_x |x\rangle$.

Step 2. Apply $U_f$ to $(\sum_x |x\rangle) |0\rangle$ to get $\sum_x |x\rangle |f(x)\rangle$.

Step 3. Measure the value of register 2 and keep the corresponding state of register 1. By eq. (6) the state of register 1 will have the form $|x_0\rangle + |x_0 \oplus \xi\rangle$ where $x_0 \in B^n$ has been chosen equiprobably.

Remark. Thus we have set up a state involving a periodic superposition of $|x_0\rangle$ and $|x_0 \oplus \xi\rangle$ (noting that $x_0 \oplus \xi \oplus \xi = x_0$ etc.) This contains the desired information of $\xi$ together with an unwanted randomly chosen $x_0$. A direct measurement of the label would yield any $x \in B^n$ equiprobably, providing no information at all about $\xi$.

Step 4. Apply $H_n$ to get (c.f. eq. (5))

$$\sum_{y \in B^n} \left( (-1)^{x_0 \cdot y} + (-1)^{(x_0 \oplus \xi) \cdot y} \right) |y\rangle = \pm \sum_{y \cdot \xi = 0} |y\rangle$$

(where the overall sign depends on $x_0$). Note that if $y \cdot \xi = 1$ then the terms on the LHS will interfere destructively.

Remark. The effect of $H_n$ here is to wash out the unwanted $x_0$ from the labels and to invert the information of $\xi$, recoding it as y such that $y \cdot \xi = 0$. A direct measurement of the label will now yield information about $\xi$. The same formal features will arise in Shor's algorithm below.

Step 5. Measure the register to find a value of y (equiprobably) such that $y \cdot \xi = 0$.

Step 6. Repeat the above to find enough $y_i$'s so that $\xi$ may be determined by solving the linear system $y_1 \cdot \xi = 0, \ldots, y_k \cdot \xi = 0$. It may be shown that $O(n^2)$ repetitions suffice to determine $\xi$ with any prescribed probability p < 1.
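
The six steps above can be traced classically for small n. The following Python sketch is an added example, not code from the paper: it samples y from the interference pattern of step 4 and carries out the linear algebra of step 6 over GF(2). The function names, the bit-mask encoding of $B^n$ and the sample period are assumptions chosen for illustration.

```python
import random


def dot2(x, y):
    """x . y in B: parity of the positions where x and y both have bit 1."""
    return bin(x & y).count("1") & 1


def simon_sample(n, xi, rng):
    """One pass through steps 1-5, simulated classically; returns the measured y."""
    x0 = rng.randrange(2 ** n)  # step 3: register 1 holds |x0> + |x0 xor xi>
    # Step 4: unnormalised amplitude of |y> after H_n. The two terms cancel
    # (destructive interference) exactly when y . xi = 1.
    amps = [(-1) ** dot2(x0, y) + (-1) ** dot2(x0 ^ xi, y) for y in range(2 ** n)]
    # Step 5: measure, with probability proportional to the squared amplitude.
    return rng.choices(range(2 ** n), weights=[a * a for a in amps])[0]


def solve_period(ys, n):
    """Step 6: solve y_i . xi = 0 over GF(2); None until the y_i reach rank n-1."""
    basis = {}  # leading-bit position -> row
    for y in ys:
        while y:
            lead = y.bit_length() - 1
            if lead not in basis:
                basis[lead] = y
                break
            y ^= basis[lead]
    if len(basis) != n - 1:
        return None
    for p in sorted(basis):  # clear each pivot bit from every other row
        for q in basis:
            if q != p and (basis[q] >> p) & 1:
                basis[q] ^= basis[p]
    free = next(b for b in range(n) if b not in basis)  # the single non-pivot column
    xi = 1 << free
    for p, row in basis.items():
        if (row >> free) & 1:
            xi |= 1 << p
    return xi


def find_period(n, xi, seed=0):
    """Repeat the quantum part until the linear system determines xi."""
    rng = random.Random(seed)
    ys = []
    while True:
        ys.append(simon_sample(n, xi, rng))
        found = solve_period(ys, n)
        if found is not None:
            return found, ys


if __name__ == "__main__":
    hidden = 0b101101  # constructed hidden period for n = 6
    found, ys = find_period(6, hidden)
    print(f"recovered {found:06b} from {len(ys)} runs")
```
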
Shor's Algorithm

Shor's algorithm for factoring a given number N proceeds by solving an equivalent problem: given any y coprime to N find the order r of y mod N. (Note that if y < N is chosen at random then we may use Euclid's algorithm to efficiently determine whether y is coprime to N or not. If it is not coprime, then the highest common factor of y and N gives a factor of N directly.) The order r of y mod N is the least integer r such that

$$y^r = 1 \bmod N$$

Let $Z_n$ denote the group of integers mod n. For any q we have a function

$$f : Z_q \to Z_N$$

$$f(x) = y^x \bmod N$$

so that

$$f(x + r) = f(x) \quad \text{if } x + r < q \qquad (7)$$

Note that because of the condition x + r < q, this function is not wholly periodic on $Z_q$ unless q is an exact multiple of (the unknown) r. However if q is chosen sufficiently large, then the slight spoiling of the periodicity at x near q (i.e. in one period only) will have a negligible effect. Ideally we would choose $q = \infty$ here for perfect periodicity in every case but in practice we require that q be finite.

Thus Shor's algorithm combines two separate issues: firstly the extraction of the periodicity of f and secondly, dealing with the fact that f is not perfectly periodic. In our description below we will focus on the first issue and assume for simplicity that q is an exact multiple of r. We will discuss this assumption and the second issue at the end.

Suppose we are given a fixed y coprime to N and we want to compute its order mod N. The unitary transformation

$$U_f : |x_1\rangle |x_2\rangle \to |x_1\rangle |x_2 + y^{x_1} \bmod N\rangle \qquad x_1 \in Z_q \quad x_2 \in Z_N$$

is efficiently computable and will play the same role as $U_f$ in Simon's algorithm. Shor's algorithm proceeds by the following steps which parallel exactly the steps of Simon's algorithm. $DFT_q$ below denotes the discrete Fourier transform for integers mod q. It is defined by

$$DFT_q : |k\rangle \to \frac{1}{\sqrt{q}} \sum_{l=0}^{q-1} e^{2\pi i kl/q} |l\rangle \qquad k \in Z_q \qquad (8)$$

and replaces $H_n$ in Simon's algorithm. As before we will omit normalisation factors.
Step 1. Start with the state $|0\rangle$ (in a q dimensional Hilbert space) and apply $DFT_q$ to get $\sum_{x=0}^{q-1} |x\rangle$.

Step 2. Apply $U_f$ to $(\sum_x |x\rangle) |0\rangle$ to get $\sum_x |x\rangle |y^x \bmod N\rangle$.

Step 3. Measure the value of register 2 and keep the corresponding state of register 1. This state will have the form $\sum_\lambda |x_0 + \lambda r \bmod q\rangle$, where $x_0 \in Z_r$ has been chosen equiprobably.

Remark. As in Simon's algorithm a direct measurement of the label will give no information at all about r.

Step 4. Apply $DFT_q$. Using eq. (8) we get a state of the form



Remark. Note that as in Simon's algorithm the random shift $x_0$ has been eliminated from the labels and the information of r has been inverted as kq/r.

Step 5. Measure the register to get a multiple c = k(q/r) where $k \in$ has been chosen equiprobably. Thus c/q = k/r where c and q are known.

Step 6. Repeat the above until we get a result corresponding to k being coprime to r. Then r is obtained by cancelling c/q down to its lowest terms. It may be shown that $O(\log N)$ repetitions will suffice to determine r with any prescribed probability p < 1.

Thus we see that Simon's and Shor's algorithms are structurally identical (in the ideal case that q is an exact multiple of r or $q = \infty$). The group $B^n$ and the operation $H_n$ have been replaced respectively by the group $Z_q$ and operation $DFT_q$. We will see in the next section that these operations are just the Fourier transforms for the respective Abelian groups and the general construction of the Fourier transform will clarify their role in the preceding algorithms.

In general q cannot be guaranteed to be a multiple of r. Let us write q = Kr + a with a < r < N and let $q_0 = Kr$. In step 3 of the algorithm, instead of

$$|\psi_{q_0}\rangle = \sum_{\lambda=0}^{K-1} |x_0 + \lambda r\rangle$$

we will get

$$|\psi_q\rangle = \sum_{\lambda=0}^{K} |x_0 + \lambda r\rangle$$

possibly containing at most one extra term (as written) if $x_0 < a$. Thus for sufficiently large K, $|\psi_{q_0}\rangle$ and $|\psi_q\rangle$ may be as close as desired. In step 4 we will apply $DFT_q$ to $|\psi_q\rangle$ rather than $DFT_{q_0}$ to $|\psi_{q_0}\rangle$. However $q - q_0 = a <$ so if q is chosen sufficiently large compared to we may expect that the two actions will result in close outcomes. In step 5 c will not be an exact multiple of q/r but will be near to such a multiple with high probability. These intuitive remarks may be formalised to show that a choice of q of order $N^2$ suffices to determine r. In step 5 the fraction k/r is then uniquely determined from the suitably close rational approximation c/q by using the theory of continued fractions.
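
Steps 3 to 6, including the case where q is not a multiple of r, can be checked numerically for small N. This Python example is added here and is not from the paper: it computes the exact distribution of c, recovers r with continued fractions (via `Fraction.limit_denominator`), and finishes with the standard gcd step from order to factors, which the text above does not spell out. The function names and the sample values (N = 15 and 21, q = 256 and 512) are assumptions.

```python
import cmath
from fractions import Fraction
from math import gcd


def order(y, N):
    """Brute-force order of y mod N; stands in for the hidden period of f."""
    return next(e for e in range(1, N) if pow(y, e, N) == 1)


def measurement_probs(y, N, q, x0):
    """Steps 3-5: probability of reading each c after DFT_q, for a given shift x0."""
    r = order(y, N)
    support = range(x0, q, r)  # the labels x0 + lambda*r that lie below q
    probs = []
    for c in range(q):
        # Amplitude of |c> from eq. (8); the exponent is reduced mod q for accuracy.
        amp = sum(cmath.exp(2j * cmath.pi * ((c * x) % q) / q) for x in support)
        probs.append(abs(amp) ** 2 / (len(support) * q))
    return probs


def candidate_order(c, q, y, N):
    """Step 6: reduce c/q to the nearest fraction k/d with d < N (continued
    fractions) and keep d only if y^d = 1 mod N. d equals r when c is close to
    k*q/r with k coprime to r; otherwise the run is discarded (None)."""
    d = Fraction(c, q).limit_denominator(N - 1).denominator
    return d if pow(y, d, N) == 1 else None


def success_probability(y, N, q, x0):
    """Total probability that a single run returns the true order r."""
    r = order(y, N)
    probs = measurement_probs(y, N, q, x0)
    return sum(p for c, p in enumerate(probs) if candidate_order(c, q, y, N) == r)


def factors_from_order(y, r, N):
    """Standard reduction (an addition to the text): for even r with
    y^(r/2) != -1 mod N, gcd(y^(r/2) +- 1, N) are non-trivial factors."""
    if r % 2 or pow(y, r // 2, N) == N - 1:
        return None
    h = pow(y, r // 2, N)
    return tuple(sorted((gcd(h - 1, N), gcd(h + 1, N))))


if __name__ == "__main__":
    # Ideal case: q = 256 is a multiple of r = 4 (y = 7, N = 15).
    ideal = measurement_probs(7, 15, 256, x0=2)
    print([c for c, p in enumerate(ideal) if p > 1e-9])  # multiples of q/r
    # Imperfect periodicity: q = 512 is not a multiple of r = 6 (y = 2, N = 21).
    print(round(success_probability(2, 21, 512, x0=3), 3))
    print(factors_from_order(2, candidate_order(85, 512, 2, 21), 21))
```
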

The Fourier Transform on an Abelian Group 

Let G be a (finite) Abelian group and let $\mathcal{H}$ be a Hilbert space with an orthonormal basis $\{|g\rangle : g \in G\}$ (the "standard" basis) labelled by the elements of G. There is a natural unitary shifting action of G on $\mathcal{H}$ given by

$$h : |g\rangle \to |hg\rangle \qquad h, g \in G \qquad (9)$$

Note that we use multiplicative notation for the operation in the group G and we use the same symbol (e.g. h in eq. (9) above) to denote a group element and its unitary action on $\mathcal{H}$.

Let $f : G \to X$ be a function on the group (taking values in some set X) and consider

$$K = \{k \in G : f(kg) = f(g) \text{ for all } g \in G\}$$

K is necessarily a subgroup of G called the stabiliser or symmetry group of f. It characterises the periodicity of f with respect to the group operation of G. Given a device that computes f, our aim is to determine K. More precisely we wish to determine K in time $O(\mathrm{poly}(\log |G|))$ where |G| is the size of G and the evaluation of f on an input counts as one computational step. (Note that we may easily determine K in time $O(\mathrm{poly}(|G|))$ by simply evaluating and examining all the values of f). Further discussion of this time constraint will be given in the next section.
We begin by constructing the state

$$|f\rangle = \frac{1}{\sqrt{|G|}} \sum_{g \in G} |g\rangle |f(g)\rangle$$

and read the second register. Assuming that f is suitably non-degenerate - in the sense that $f(g_1) = f(g_2)$ iff $g_1 g_2^{-1} \in K$ i.e. that f is one-to-one within each period - we will obtain in the first register

$$|\psi(g_0)\rangle = \frac{1}{\sqrt{|K|}} \sum_{k \in K} |g_0 k\rangle \qquad (10)$$

corresponding to seeing $f(g_0)$ in the second register and $g_0$ has been chosen at random.

Examples. In Simon's algorithm G is the additive group $B^n$ and K is the cyclic subgroup $\{0, \xi\}$ generated by $\xi$. In Shor's algorithm G is the additive group $Z_q$ and K is the cyclic subgroup $\{0, r, 2r, \ldots\}$ generated by r. In each case K is specified by giving its generator. The state (10) is obtained in step 3 of the algorithm. □

Remark. The construction leading to the state (10) applies in a more general context than just a function on a group. Suppose we have any mathematical object F with an action of the group G on it:

$$g : F \to gF \quad \text{such that } (g_1 g_2)F = g_1(g_2 F).$$

The symmetry group of F is the subgroup $K = \{k \in G : kF = F\}$. By constructing $\sum_g |g\rangle$, applying it to a suitable state description $|F\rangle$ of F and reading the second register we obtain the state $\sum_k |g_0 k\rangle$ as in eq. (10). □

In eq. (10) we have an equal superposition of labels corresponding to a randomly chosen coset of K in G. Now G is the disjoint union of all the cosets so that if we read the label in eq. (10) we will see a random element chosen equiprobably from all of G yielding no information at all about K. The Fourier transform will provide a way of eliminating $g_0$ from the labels which may then provide direct information about K. We first construct a basis $|\chi_i\rangle$ of states which are shift invariant in the sense:

$$g |\chi_i\rangle = e^{i\phi_i(g)} |\chi_i\rangle \quad \text{for all } g \in G$$

Such states are guaranteed to exist since the shift operations g are unitary and they all commute. Next note that the state in eq. (10) may be written as a $g_0$-shifted state:

$$\sum_{k \in K} |g_0 k\rangle = g_0 \left( \sum_{k \in K} |k\rangle \right)$$

Hence if we write this state in the basis $\{|\chi_i\rangle : i = 1, \ldots, |G|\}$ then $\sum_k |k\rangle$ and $\sum_k |g_0 k\rangle$ will contain the same pattern of labels, determined by the subgroup K only. The Fourier transform is simply defined to be the unitary operation which transforms the shift-invariant basis into the standard basis. After applying it to eq. (10) we may read the shift-invariant basis label by reading in the standard basis. This explains the essential role of the Fourier transform in step 4 of the algorithms.

The shift-invariant states $|\chi_i\rangle$ are constructed using some basic group representation theory [12]. Consider any (nonzero) complex valued function on the group

which respects the group operation in the sense that

$$\chi(g_1 g_2) = \chi(g_1) \chi(g_2) \qquad (11)$$

For Abelian groups these are the irreducible representations [12] of G. By listing the values $\chi$ may also be viewed as a complex vector of dimension |G|.

For our purposes the essential properties of these functions are the following (c.f. [12] for a full discussion and proofs).



(A) Any value $\chi(g)$ is a $|G|$th root of unity.

(B) Orthogonality (Schur's lemma): For each i and j

$$\frac{1}{|G|} \sum_{g \in G} \chi_i(g) \overline{\chi_j(g)} = \delta_{ij} \qquad (12)$$

(where the overline denotes complex conjugation).

(C) There are always exactly |G| different functions $\chi$ satisfying eq. (11).

It is remarkable that the simple condition eq. (11) has such strong consequences. In particular the orthogonality condition (B) entails the fact that the Fourier transform as a linear transformation is unitary rather than just invertible. This appears to make no significant difference for classical computation but it is crucial for quantum computation!

Since (B) provides the fundamental connection to quantum computation we give a simple proof of it (incorporating also (A)). Note that by (11) $\chi(e) = 1$ where e is the identity of G. Also (by Lagrange's theorem) we have $g^{|G|} = e$ for all $g \in G$. Hence $\chi(g)$ is always a $|G|$th root of unity so $\overline{\chi(g)} = \chi(g^{-1})$. Now for any $\chi_1, \chi_2$ consider:

$$\chi_1(h) \left( \sum_{g \in G} \chi_1(g) \chi_2(g^{-1}) \right) = \sum_{g \in G} \chi_1(hg) \chi_2(g^{-1})$$

$$= \sum_{\tilde{g} \in G} \chi_1(\tilde{g}) \chi_2(\tilde{g}^{-1} h) \quad (\text{putting } \tilde{g} = hg) \qquad (13)$$

$$= \left( \sum_{g \in G} \chi_1(g) \chi_2(g^{-1}) \right) \chi_2(h)$$

Hence for every $h \in G$

$$(\chi_1(h) - \chi_2(h)) \sum_{g \in G} \chi_1(g) \overline{\chi_2(g)} = 0$$

giving orthogonality if $\chi_1 \neq \chi_2$. If $\chi_1 = \chi_2 = \chi$ then

$$\sum_{g} \chi(g) \overline{\chi(g)} = \sum_{g} \chi(g) \chi(g^{-1}) = \sum_{g} \chi(e) = \sum_{g} 1 = |G|$$

completing the proof of (B).

For any function $\chi_i$ satisfying eq. (11) consider the state

$$|\chi_i\rangle = \frac{1}{\sqrt{|G|}} \sum_{g \in G} \overline{\chi_i(g)} |g\rangle$$

The orthogonality relation (12) implies that the states $\{|\chi_i\rangle : i = 1, \ldots, |G|\}$ form an orthonormal basis of $\mathcal{H}$, called the Fourier basis. Furthermore these basis states are shift-invariant in the required sense:

$$h |\chi_i\rangle = \chi_i(h) |\chi_i\rangle \qquad h \in G \qquad (14)$$

which is easily verified using eq. (11) and making the same replacement as in eq. (13).

Let us choose an ordering $g_1, g_2, \ldots, g_{|G|}$ of the elements of G. The Fourier transform FT on G (with respect to the ordering) is defined to be the unitary transformation which maps $|\chi_i\rangle$ to $|g_i\rangle$. Thus in the ordered basis the matrix of FT is formed by listing the values of the functions $\chi_i$ as rows:

$$[FT]_{ij} = \frac{1}{\sqrt{|G|}} \chi_i(g_j) \qquad (15)$$

Examples. If $G = Z_q$ then the q functions $\chi_k$ are defined by

$$\chi_k(1) = e^{2\pi i k/q} \qquad k = 0, \ldots, q-1$$

and by (11) $\chi_k(m) = \chi_k(1)^m = \exp 2\pi i km/q$ for all $m \in Z_q$. These values scaled by $\sqrt{q}$ are the rows of the matrix of $DFT_q$.
For $G = B^n$ the $2^n$ $\chi$ functions are

$$\chi_a(x) = (-1)^{x \cdot a} \quad \text{for all } x, a \in B^n$$

which (scaled by $\sqrt{2^n}$) are the rows of the Hadamard transform $H_n$ (c.f. eq. (5)).
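
The construction can be verified numerically for any finite Abelian group written as a product of cyclic groups. The Python example below is added here, not taken from the paper: it uses additive notation for $Z_{m_1} \times \cdots \times Z_{m_k}$ (the text uses multiplicative notation), builds the matrix of eq. (15), and shows that the label distribution obtained from the coset state of eq. (10) does not depend on $g_0$. Function names and sample groups are assumptions.

```python
import cmath
from itertools import product
from math import sqrt


def elements(moduli):
    """Ordered list g_1, ..., g_|G| of Z_{m1} x ... x Z_{mk}."""
    return list(product(*(range(m) for m in moduli)))


def add(g, h, moduli):
    """Group operation, written additively."""
    return tuple((x + y) % m for x, y, m in zip(g, h, moduli))


def chi(a, g, moduli):
    """Character chi_a(g); it satisfies eq. (11) and is a |G|-th root of unity."""
    return cmath.exp(2j * cmath.pi * sum(ai * gi / m for ai, gi, m in zip(a, g, moduli)))


def fourier_matrix(moduli):
    """Matrix of FT from eq. (15): row i lists chi_i(g_j) / sqrt(|G|)."""
    G = elements(moduli)
    s = sqrt(len(G))
    return [[chi(a, g, moduli) / s for g in G] for a in G]


def is_unitary(F, tol=1e-9):
    """Check the orthogonality relation (12) row by row."""
    n = len(F)
    for i in range(n):
        for j in range(n):
            ip = sum(F[i][k] * F[j][k].conjugate() for k in range(n))
            if abs(ip - (1 if i == j else 0)) > tol:
                return False
    return True


def stabiliser(f, moduli):
    """K = {k : f(k g) = f(g) for all g}, by brute force in time poly(|G|)."""
    G = elements(moduli)
    return [k for k in G if all(f(add(k, g, moduli)) == f(g) for g in G)]


def label_distribution(K, g0, moduli):
    """Probability of each character label after applying FT to the state (10)."""
    G = elements(moduli)
    F = fourier_matrix(moduli)
    coset = {add(g0, k, moduli) for k in K}
    v = [1 / sqrt(len(K)) if g in coset else 0 for g in G]
    out = [sum(F[i][j] * v[j] for j in range(len(G))) for i in range(len(G))]
    return {G[i]: round(abs(out[i]) ** 2, 9) for i in range(len(G))}


if __name__ == "__main__":
    # Simon: G = B^3 with constructed period xi = (1, 0, 1).
    m, xi = (2, 2, 2), (1, 0, 1)
    K = stabiliser(lambda x: min(x, add(x, xi, m)), m)
    for g0 in [(0, 0, 0), (0, 1, 1)]:
        d = label_distribution(K, g0, m)
        print(g0, sorted(a for a, p in d.items() if p > 0))  # same labels each time
    # Shor, ideal case: G = Z_12, f(x) = 7^x mod 15 with r = 4.
    K2 = stabiliser(lambda x: pow(7, x[0], 15), (12,))
    d2 = label_distribution(K2, (5,), (12,))
    print(sorted(a for a, p in d2.items() if p > 0))  # multiples of q/r = 3
```
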

Efficient Computation of the Fourier Transform 

The Fourier transform FT on G is a unitary operation of size |G|. It is known that any unitary operation of size d may be implemented in time $O(d^2)$ but this does not suffice for our application of FT. In Simon's algorithm $|G| = 2^n$ but we want the algorithm to run in poly(n) time and in Shor's algorithm $|G| = O(q) = O(N^2)$ and we want the algorithm to run in poly(log N) time. Thus we want to implement FT in poly(log |G|) time.

In classical computation the application of a matrix of size |G| requires time $O(|G|^2)$. The classical fast Fourier transform (FFT) algorithm (applicable to certain groups) improves this to $O(|G| \log |G|)$ but this, in itself, does not suffice for our quantum algorithms since it is still exponential in log |G|. It may be seen that in a quantum context the implementation of the FFT algorithm combines with extra non-classical properties of entanglement to provide an algorithm which runs in $O(\mathrm{poly}(\log |G|))$ time. This feature has been elaborated elsewhere and is also discussed in [13].

Kitaev's Algorithm 

An approach to the construction of quantum algorithms based on group-theoretic principles (for Abelian groups) has recently been developed by Kitaev. We describe here an explicit example of his general formalism - an alternative efficient quantum factoring algorithm. This algorithm, in contrast to Shor's, does not explicitly require the Fourier transform to be performed and appears to be based on different principles.

Kitaev's algorithm, like Shor's, proceeds by finding the order r of a number y coprime to N. Let $U : \mathcal{H}_N \to \mathcal{H}_N$ be the unitary operator on an N dimensional Hilbert space given by "multiplication by y" (easily implementable efficiently):

$$U : |m\rangle \to |my \bmod N\rangle \qquad m = 0, \ldots, N-1 \qquad (16)$$

Thus we will be focussing on the multiplicative structure of the integers mod N (rather than the additive structure) and working in a Hilbert space of dimension N. We do not need to choose a $q \sim O(N^2)$ as in Shor's algorithm and the associated complications of q not being an exact multiple of r do not arise.

Since = I we see that the eigenvalues of U are $r$th roots of unity i.e. = $\exp(-2\pi i k/r)$, $k = 0, \ldots, r-1$. It is straightforward to verify that the following states $|\lambda_k\rangle$ are eigenstates of U belonging respectively to the eigenvalues $\lambda_k$.

$$|\lambda_k\rangle = \frac{1}{\sqrt{r}} \sum_{l=0}^{r-1} \exp\left(2\pi i \frac{lk}{r}\right) |y^l \bmod N\rangle \qquad k = 0, \ldots, r-1 \qquad (17)$$

and that

$$\frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} |\lambda_k\rangle = |1\rangle \qquad (18)$$

Remark. The fact that (17) are eigenstates of U is closely related to our previous construction of shift invariant states. Indeed the multiplicative group of powers of y mod N is isomorphic to the additive group $Z_r$ (where we associate $y^l$ with $l \in Z_r$). Under this isomorphism the operation U becomes the shift operation of "adding 1" in $Z_r$. Then (17) gives precisely the shift invariant states of $Z_r$ but written with multiplicative labels $y^l \bmod N$ rather than the additive labels $l \in Z_r$. Eq. (18) is simply derived by noting that each $|\lambda_k\rangle$ in (17) contains $|1\rangle$ with amplitude $1/\sqrt{r}$. Hence the sum in (18) contains $|1\rangle$ with amplitude 1 so that all other $|k\rangle$'s with $k \neq 1$ must have amplitude 0 as (18) is a normalised state. This equation also has a group-theoretic origin. It may be shown [12] that for any group G if we sum all the $\chi_i$ functions we get:

$$\frac{1}{|G|} \sum_{i} \chi_i(g) = \begin{cases} 1 & \text{if } g = e \\ 0 & \text{if } g \neq e \end{cases}$$

Then (18) follows immediately using the above interpretation of $|\lambda_k\rangle$ as shift invariant states. □

Suppose now that we have an efficient procedure for measuring the eigenvalues of a unitary operator. More precisely, given a quantum device which computes an n-qubit operation U and an eigenstate $|\lambda\rangle$ of U, suppose that we can compute the value of $\lambda$ efficiently i.e. in time O(poly(log n)). Suppose furthermore that on an input superposition of eigenstates $\sum_k a_k |\lambda_k\rangle$ the procedure returns some one of the eigenvalues $\lambda_k$ with probability $|a_k|^2$. Then applying this procedure to U and the state $|1\rangle$ above, we will be able to efficiently find a value of k/r chosen equiprobably for $k = 0, \ldots, r-1$. As in Shor's analysis, this suffices to factor N efficiently. It is remarkable that the apparently humdrum state $|1\rangle$ (when viewed appropriately as in eq. (18)) contains the information to factorise any given number!

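How to Measure the Eigenvalues of U [7]

Suppose we are given a "black box" which computes U, a unitary operation on n qubits, and also an eigenstate $|\lambda\rangle$ of U with $\lambda = \exp 2\pi i \phi$. We want to measure $\phi$. The basic idea is to set up a state $|\alpha\rangle = \sqrt{p_0} |0\rangle + \sqrt{p_1} |1\rangle$ whose amplitudes depend on $\phi$. Then by sufficiently many measurements on copies of $|\alpha\rangle$ we can estimate the probabilities $p_0, p_1$ and hence $\phi$.

We first describe how to implement $\Lambda(U)$, the "controlled-U" operation on n + 1 qubits (which includes one "control qubit").

Let $\tau : \mathcal{B}^{2n} \to \mathcal{B}^{2n}$ on two n-qubit registers $\mathcal{X}$, $\mathcal{Y}$ be the addition of n-bit strings:

$$\tau : |x\rangle |y\rangle \to |x\rangle |x \oplus y\rangle \qquad x, y \in B^n$$

Let $\Lambda(\tau) : \mathcal{B}^{2n+1} \to \mathcal{B}^{2n+1}$ on a 1-qubit control register $\mathcal{C}$ with $\mathcal{X}$ and $\mathcal{Y}$, be the controlled-$\tau$ operation:

$$\Lambda(\tau) : |0\rangle |x\rangle |y\rangle \to |0\rangle |x\rangle |y\rangle \qquad \Lambda(\tau) : |1\rangle |x\rangle |y\rangle \to |1\rangle |x\rangle |x \oplus y\rangle$$

Similarly let $\Lambda(U) : \mathcal{B}^{n+1} \to \mathcal{B}^{n+1}$ on registers $\mathcal{C}$ and $\mathcal{X}$ be the controlled-U operation:

$$\Lambda(U) : |0\rangle |x\rangle \to |0\rangle |x\rangle \qquad \Lambda(U) : |1\rangle |x\rangle \to |1\rangle U |x\rangle$$

Let N be the operation of negation in the register $\mathcal{C}$.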
Suppose that $U |0\rangle = |0\rangle$. Then $\Lambda(U)$ can be implemented as follows. In addition to the n-qubit register $\mathcal{X}$ of U we introduce a 1-qubit control register $\mathcal{C}$ and an extra n-qubit register $\mathcal{Y}$. Consider the sequence of operations (reading from left to right) in which the square brackets denote the registers to which the operations are applied:

$$N[\mathcal{C}] \quad \Lambda(\tau)[\mathcal{C}, \mathcal{X}, \mathcal{Y}] \quad \Lambda(\tau)[\mathcal{C}, \mathcal{Y}, \mathcal{X}] \quad U[\mathcal{X}] \quad \Lambda(\tau)[\mathcal{C}, \mathcal{Y}, \mathcal{X}] \quad \Lambda(\tau)[\mathcal{C}, \mathcal{X}, \mathcal{Y}] \quad N[\mathcal{C}]$$

If $\mathcal{Y}$ is initially set to $|0\rangle$ then after these operations $\mathcal{Y}$ will again be $|0\rangle$ and $\Lambda(U)$ will have been effected on the registers $[\mathcal{C}, \mathcal{X}]$. This is readily seen by a straightforward calculation. The $\Lambda(\tau)$ operations on either side of $U[\mathcal{X}]$ simply serve to swap the states of the registers $\mathcal{X}$ and $\mathcal{Y}$. Thus if $\mathcal{C}$ is $|0\rangle$ the states in $\mathcal{X}$ and $\mathcal{Y}$ are swapped and U is merely applied to $|0\rangle$. If $\mathcal{C}$ is $|1\rangle$ then the states are not swapped and U is applied to the original contents of $\mathcal{X}$.

To measure $\phi$ consider the following procedure PROC:
Start with registers $[\mathcal{C}, \mathcal{X}]$ in state $|0\rangle |\lambda\rangle$. Apply H to $\mathcal{C}$, then $\Lambda(U)$ to $[\mathcal{C}, \mathcal{X}]$, then H to $\mathcal{C}$ again. This results in the following state in $[\mathcal{C}, \mathcal{X}]$:

$$|\psi_\lambda\rangle |\lambda\rangle = \left( \frac{1}{2}(1 + \exp 2\pi i \phi) |0\rangle + \frac{1}{2}(1 - \exp 2\pi i \phi) |1\rangle \right) |\lambda\rangle$$

Note that the eigenstate in $\mathcal{X}$ has not been corrupted and may be used again. Finally measure the control register. This will yield 0 or 1 with probability distribution $\mathcal{P}$ given by:

$$p_0 = \frac{1}{2}(1 + \cos 2\pi \phi) \qquad p_1 = \frac{1}{2}(1 - \cos 2\pi \phi)$$

To get the information of $\phi$ we just repeat PROC for many independent control qubits, sampling the distribution $\mathcal{P}$ sufficiently many times to get an adequate estimate of $p_0$. Suppose we apply PROC t times successively, starting with t control qubits and ending in the state $|\psi_\lambda\rangle |\psi_\lambda\rangle \cdots |\psi_\lambda\rangle |\lambda\rangle$ and then sample $\mathcal{P}$ t times. Let y be the number of times that outcome "0" occurs. Then by the weak law of large numbers, for any $\delta > 0$

Prob f if - Pol >5)< ^exp {-^\ ^ e (19) 

Thus with $t$ repetitions we can measure $p_0$ (i.e. $\phi$) to precision $\delta$ with error probability $\epsilon$. Note that for fixed $\delta$ the error probability $\epsilon$ decreases exponentially with $t$, i.e. $t = O(\log(1/\epsilon))$, but the precision $\delta$ (for fixed $\epsilon$) cannot be efficiently improved: for each extra bit of precision, $\delta \to \delta/2$, we require $t \to 4t$ in (19) to maintain a constant level of $\epsilon$. Hence by this direct method, the number of bits of precision can be improved only by a correspondingly exponential increase in computing effort, $O(4^l)$ steps for $l$ bits of precision. This is unacceptable. To get around this difficulty let us suppose that not only $U$ is efficiently computable (i.e. in poly($n$) steps) but also that:



Assumption: $U^{2^j}$ can be computed in poly($j$, $n$) steps (20)

This assumption is valid in our application of $U$ being "multiplication by $y$". $U^{2^j}$ is then "multiplication by $y^{2^j}$" which can be implemented by a sequence of $j$ repeated squarings, starting with $y$. It will not, however, be valid for a general unitary transformation $U$.

Now assuming (20) we can efficiently improve the precision $\delta$ as follows, i.e. obtain $l$ bits of $p_0$ with computing effort poly($l$). Note that $|\lambda\rangle$ is an eigenstate of $U^{2^j}$ with eigenvalue $\exp(2\pi i[2^j\phi \bmod 1])$. To obtain $l$ bits of $\phi$ with error probability $< \epsilon$ we measure (as above) the values of $2^j\phi \bmod 1$ for $j = 0, \ldots, l-1$, to a fixed precision $\delta = 1/8$ with error probability $< \epsilon/l$. Now if we write $\phi$ in binary then $2^j\phi$ has the point shifted $j$ places to the right and "mod 1" removes the integer part. Thus knowing $2^j\phi \bmod 1$ to $\pm\tfrac{1}{8}$ gives the first few bits of $2^j\phi \bmod 1$, i.e. bits $j$ and $j+1$ of $\phi$ itself. Hence we get about $l$ bits of precision of $\phi$. The probability that all these bits are correct exceeds $(1 - \epsilon/l)^l > 1 - \epsilon$. This completes the efficient approximation of $\phi$ under the assumption (20) above.
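One way to stitch the $l$ fixed-precision measurements into $l$ bits of $\phi$, as an added example that is not code from the paper. The measurements are replaced by constructed values lying within 1/8 of the exact $2^j\phi \bmod 1$; N = 21, y = 2, k = 5 and the halving rule in `reconstruct` are assumptions of this example.

```python
from fractions import Fraction

def powers_by_squaring(y, N, l):
    """y^(2^j) mod N for j = 0..l-1; U^(2^j) is multiplication by these values."""
    out = [y % N]
    for _ in range(l - 1):
        out.append(out[-1] * out[-1] % N)   # one squaring per extra j
    return out

def order(y, N):
    """Order r of y mod N by brute force (toy sizes only)."""
    r, v = 1, y % N
    while v != 1:
        v, r = v * y % N, r + 1
    return r

def shifted_phases(k, r, l):
    """Exact 2^j * phi mod 1 for phi = k/r and j = 0..l-1."""
    return [Fraction((k << j) % r, r) for j in range(l)]

def circ_dist(a, b):
    """Distance between two phases on the circle (values taken mod 1)."""
    d = abs(a - b) % 1
    return min(d, 1 - d)

# Constructed measurement errors, all strictly smaller than 1/8.
OFFSETS = [Fraction(3, 25), Fraction(-3, 25), Fraction(1, 20), Fraction(-9, 100)]

def with_offsets(alphas, offsets=OFFSETS):
    """Stand-in for the measured values: exact phase plus a bounded offset."""
    return [(a + offsets[j % len(offsets)]) % 1 for j, a in enumerate(alphas)]

def reconstruct(betas):
    """Combine estimates of 2^j*phi mod 1 (each within 1/8) into phi."""
    est = betas[-1]                          # 2^(l-1)*phi mod 1, error < 1/8
    for beta in reversed(betas[:-1]):
        # 2^j*phi mod 1 is est/2 or est/2 + 1/2; the coarse estimate beta
        # decides which, and the error of est is halved at every step.
        lo, hi = est / 2, est / 2 + Fraction(1, 2)
        est = lo if circ_dist(lo, beta) < circ_dist(hi, beta) else hi
    return est

if __name__ == "__main__":
    r = order(2, 21)
    est = reconstruct(with_offsets(shifted_phases(5, r, 10)))
    print(r, float(est), float(Fraction(5, r)))
```

Each of the $l$ measurements stays at precision 1/8, yet the final estimate is within $2^{-(l+2)}$ of $\phi$, in contrast to the $O(4^l)$ cost of the direct method.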

Generally (as in Kitaev's factoring algorithm) we will not have available a pure eigenstate of $U$ but instead some superposition $\sum a_\lambda |\lambda\rangle$. If we apply PROC to this state with $t$ control bits we will obtain $\sum a_\lambda |\psi_\lambda\rangle \cdots |\psi_\lambda\rangle |\lambda\rangle$ so that a measurement of the control bits will yield one of the eigenvalues $\lambda$ with probabilities $|a_\lambda|^2$, i.e. if we trace out the eigenstate register $|\lambda\rangle$ the $t$ control qubits are in a mixture of the repeated states $|\psi_\lambda\rangle \cdots |\psi_\lambda\rangle$ with probabilities $|a_\lambda|^2$. Note that we must apply PROC $t$ times before any measurement of the control qubits is made. Otherwise each successive measurement will provide information about a different eigenvalue and finally we will only obtain information about the average value of the $\lambda$'s (weighted by $|a_\lambda|^2$) rather than about some one of the $\lambda$'s.

In most cases the eigenvalues $\exp(2\pi i\phi)$ will have rational values of $\phi = a/b$. This is because the $U$'s of interest will have finite order, i.e. $U^m = I$ for some $m$ so that $\phi = k/m$ for some $k$. For example if $U$ is "multiplication by $y$" then $U^r = I$ so that $\phi$ must have the form $k/r$ (as noted previously). In this situation we can find $\phi$ exactly, rather than just approximately, by choosing a suitably high precision $\delta$. The minimum separation between any two rational numbers with denominators $r$ is $1/r$ so we can get $\phi = k/r$ exactly by measuring it to precision $1/2r > 1/2N$, i.e. $1 + \log N$ bits.

Thus we obtain an efficient factoring algorithm based on the novel idea of deter- 
mining an eigenvalue of a given simple unitary operation. Some of the formalism 
of Kitaev's algorithm may be related to Shor's method by using the decomposition 
of the Fourier transform given in |]T^ but it would be interesting to consider other 
problems that might be formulatable in terms of the determination of eigenvalues.

Conclusions

We have seen that the principal known quantum algorithms all revolve around 
one essential construction, that of the Fourier transform on an Abelian group. Fur- 
thermore the quantum computational speedup provided by these algorithms may be 
attributed to (non-classical) properties of entanglement operating within the imple- 
mentation of classical fast Fourier transform algorithms on a quantum computer ^j. 
Clearly it would be of great interest to have other basic ingredients for the construction 
of new quantum algorithms. Kitaev's formalism |^ as we have illustrated, appears to 
involve such an ingredient. The mathematical construction of the Fourier transform 
also extends to non-Abelian groups and it would be interesting to investigate prob-
lems which can be formulated in terms of non-Abelian Fourier transforms and the
possibility of their implementation on a quantum computer. This line of development
has also been advocated by Hoyer ]T3| . 